ABSTRACT



This invention relates to a method for generating a shared secret value between entities (E_i) in a data communication system, one or more of the entities having a plurality of members (M_ij) for participation in the communication system, each member having a long term private key (Pr_ij) and a corresponding long term public key (Pu_ij). The method comprises the steps of generating a short term private key (x_ij) and a corresponding short term public key (X_ij) for each of the members (M_ij); exchanging short term public keys (X_ij) of the members within an entity (i); for each member, computing an intra-entity shared key (X_i) by mathematically combining the short term public keys (X_ij) of each of the members, and computing an intra-entity public key (s_ij) by mathematically combining its short-term private key (x_ij), the long term private key (Pr_ij) and the intra-entity shared key; for each entity, combining the intra-entity public keys (s_ij) to derive a group short-term public key (S_i); each entity transmitting its intra-entity shared key (X_i) and its group short term public key (S_i) to the other entities; and each entity computing a common shared key K by combining its group short term public key (S_i) with the intra-entity shared key (X_i') and the group short term public key (S_i') received from the other entities.
SPLIT-KEY KEY-AGREEMENT PROTOCOL

The present invention relates to the field of key agreement protocols in cryptographic 
systems. 


BACKGROUND OF THE INVENTION

Traditionally, entities communicated on paper and were able to ensure privacy in many ways. The transition from paper to electronic media, however, brings the need for electronic privacy and authenticity. In cryptographic schemes, the entities use primitives, which are mathematical operations together with encoding and formatting techniques, to provide security. For each scheme the parties participating in the scheme normally agree upon or exchange certain information before executing the scheme function. The specific information that needs to be agreed upon is detailed for each scheme. Such agreement may be achieved by any means suitable for the application. It may be implicitly built into the system or explicitly achieved by some sort of exchange of information with or without involvement from other parties. In particular, parties often need to agree on parameters and obtain each other's public keys. For proper security, a party needs to be assured of the true owners of the keys and parameters and of their validity. Generation of parameters and keys needs to be performed properly and, in some cases, verification needs to be performed.

In general, the different types of schemes may be defined as follows. In key agreement schemes, two parties use their public/private key pairs and possibly other information to agree on a shared secret key. A signature scheme with appendix is a scheme in which one party signs a message using its private key and any other party can verify the signature by examining the message, the signature, and the signer's corresponding public key. In signature schemes with message recovery, one party signs a message using its private key and any other party can verify the signature and recover the message by examining the signature and the signer's corresponding public key. Finally, in encryption schemes, any party can encrypt a message using the recipient's public key and only the recipient can decrypt the message using its corresponding private key.

An example of a key derivation scheme is MQV (Menezes-Qu-Vanstone). In the MQV scheme, a shared secret value is derived from one party's two key pairs and another party's two public keys, where all the keys have the same discrete log (DL) parameters. In this generalized MQV scheme, it is assumed that the shared secret value is that which is shared between two parties.

However, where each party or entity consists of a collection of parties, say A = {A_1, A_2, ..., A_n} and B = {B_1, B_2, ..., B_m}, where m is not necessarily equal to n and at least one of m or n is at least two (that is, not both A and B consist of one individual), it is difficult to implement the generalized MQV scheme if these two entities wish to establish a common key in order to communicate privately.



SUMMARY OF THE INVENTION

Accordingly, the present invention seeks to provide a solution to the problem of establishing a common key for private communication between entities wherein the entities include a collection of sub-entities.

An advantage of the present invention is that all members of each entity must participate in the scheme and no sub-collection of either entity can impersonate its entire entity.

In accordance with this invention there is provided a method for generating a shared secret value between entities in a data communication system, one or more of the entities having a plurality of members for participation in the communication system, each member having a long term private key and a corresponding long term public key, the method comprising the steps of:

(a) generating a short term private key and a corresponding short term public key for each of the members;

(b) exchanging short term public keys of the members within an entity;

(c) for each member,

(i) computing an intra-entity shared key by mathematically combining the short term public keys of each said member;

(ii) computing an intra-entity public key by mathematically combining its short-term private key, the long term private key and said intra-entity shared key;

(d) for each entity, combining intra-entity public keys to derive a group short-term public key;

(e) each entity transmitting its intra-entity shared key and its group short term public key to the other entities; and

(f) each entity computing a common shared key K by combining its group short term public key, the intra-entity shared key, and the group short term public key of the other entities.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of the preferred embodiments of the invention will become more apparent in the following detailed description in which reference is made to the appended drawings wherein:

Figure 1 is a schematic diagram of a communication system; and

Figure 2 is a schematic diagram of a protocol according to an embodiment of the present invention.


DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Referring to figure 1, a schematic diagram of a communication system is shown generally by numeral 10. The system 10 includes a first entity A (12) and a second entity B (14) that exchange data over a communication channel 16. Each of the entities A and B include members A_1, A_2 and B_1, B_2, respectively. It is assumed the entities A and B include processors for performing cryptographic operations and the like. The members A_1, A_2 may for example represent a first group of users on a local area network (LAN) that wish to communicate securely with a second group of users B_1, B_2 on a second LAN or even on the same LAN. In either case the computations may be performed for the entities A (12) and B (14) by, for example, a LAN server or the like, provided that each member has its own secure boundary.

Accordingly, the present protocol ensures that all members of each entity must participate in the scheme and no sub-collection of either entity can impersonate its entire entity.

Furthermore, it is assumed that each entity and its associated members A_i, B_i have been initialized with the same system parameters. The system parameters for this protocol are an elliptic curve point P, which is the generating point of an elliptic curve over F_{2^m} of order n. Additionally, each of the members is initialized with respective public and private key pairs. That is, the members A_i have long term private and public key pairs (a_i, a_iP) and the members B_i have long term private and public key pairs (b_i, b_iP), respectively.

The private key of the entity A is then (a_1 + a_2) and its corresponding public key is (a_1 + a_2)P. Similarly, for entity B its private key is (b_1 + b_2) and its corresponding public key is (b_1 + b_2)P. These public keys are published by the entities.

Now assume entities A (12) and B (14) wish to agree upon a common key, which may then be used for subsequent cryptographic communications between the entities.

Referring thus to figure 2, a schematic diagram of an embodiment of the protocol according to the present invention is shown generally by numeral 40. The member A_1 generates a random value x_1 (its short term private key, also known as an ephemeral or session key) and computes a corresponding value x_1P (its short term public key). Similarly, member A_2 generates a random value x_2 and computes a corresponding value x_2P. Preferably 0 < a_i < n-1 and 0 < x_i < n-1. Next, the members A_1 and A_2 exchange their session public keys x_1P and x_2P. This may be termed a first intra-entity key exchange.

Next, member A_1 computes r = x_1P + x_2P and similarly member A_2 computes r = x_2P + x_1P, thus establishing an intra-entity shared key.

Next, each member A_i computes its short term intra-entity public key s_i using its short term private key and long term private key combined with a function f of the intra-entity shared key, that is s_1 = x_1 + a_1 f(r) (mod n), where f is typically a hash function such as SHA-1 and n is the order of the curve. Similarly, member A_2 computes its intra-entity public key s_2 = x_2 + a_2 f(r) (mod n).

The entity A transmits the intra-entity shared key r to the entity B. The entity A also computes an entity or group short term public key, which is derived by summing the intra-entity public keys of each member: s = s_1 + s_2 = x_1 + x_2 + (a_1 + a_2) f(r) (mod n). Entity A then also transmits the group short-term public key s to the entity B.

The entity B similarly computes the analogous information using its own public and private keys, using the same computations performed by entity A. Thus, B computes an intra-entity shared key r using the short term public keys y_1P and y_2P of each of its members, where y_i is the short term private key of member B_i. Next, each of the members in B computes its own intra-entity public key t_i = y_i + b_i f(r) (mod n). The entity B then sends r to the entity A and computes the group short-term public key t = t_1 + t_2, which is transmitted to the entity A.
The entity A then computes a value K, which is the shared key between the entities A and B, by computing K = s(r + (bP) f(r)) = s·t·P, where r here denotes the intra-entity shared key received from B and bP = (b_1 + b_2)P is B's published long term public key, so that r + (bP) f(r) = tP. The entity B likewise computes K using t, the intra-entity shared key r received from A, and aP (or, equivalently, s): K = t(r + (aP) f(r)) = t·s·P.

Consequently, if a member of the entity A, either A_1 or A_2, is not present in the scheme then the group short term public key s changes, as does the value of K. Therefore, communication with entity B would not be successful without establishing a new session. Similarly, if either B_1 or B_2 is not present in the scheme then the group short term public key t changes, altering the value of K. In this case, communication with A would not be successful without establishing a new session.

Although the above scheme has been described with respect to elliptic curve systems, which form an additive group, it may analogously be used in multiplicative groups. Furthermore, the above protocol, although exemplified with two members per entity, may be generalized where each party or entity consists of a collection of members, say A = {A_1, A_2, ..., A_n} and B = {B_1, B_2, ..., B_m}, where m is not necessarily equal to n and at least one of m or n is at least two (that is, not both A and B consist of one individual). The notation may be generalized as follows:



E_i - entity i
M_ij - member j of entity i
Pr_ij - long term private key of member (ij)
Pu_ij - long term public key of member (ij)
Pu_i - long term public key of entity (i)
x_ij - short term private key of member (ij)
X_ij - short term public key of member (ij)
X_i - intra-entity shared key of entity i
s_ij - intra-entity public key of member (ij) of entity i
S_i - group or entity short term public key of entity i
Pu_i' - long term public key received from the other entities
X_i' - intra-entity shared key received from the other entities
S_i' - group or entity short term public key received from the other entities

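The protocol of figure 2, carried through for an arbitrary number of members per entity as the generalized notation above allows, as an added example written for this page and not part of the patent. It assumes the prime-field curve secp256k1 in place of the binary-field curve named in the text, SHA-256 in place of SHA-1 for f, and it takes the value an entity transmits as its group short-term public key to be the point S = s·P rather than the scalar s: since tP = r + f(r)·(bP) is computable by anyone from B's transmitted r and published public key, a scalar s sent in the clear would let an eavesdropper compute K = s·(tP). It also adds a consistency check on the receiving side, S' = r' + f(r')·Pu', which is this example's own assumption; with it, a run in which some member of the other entity is absent fails in step (f) rather than merely producing a mismatched K as the text describes. The multiplicative-group analog of claims 7 to 9 follows by replacing point addition with multiplication mod p and scalar multiplication with exponentiation.

```python
"""Split-key key agreement between two multi-member entities (added example).

Assumptions: secp256k1 stands in for the binary-field curve in the text; f() is
SHA-256 of the encoded point reduced mod n; the group short-term public key that
leaves an entity is the point S = sP, never the scalar s.
"""
import hashlib
import secrets

# secp256k1 domain parameters: field prime, generator P and its order n
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def ec_add(P1, P2):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # P1 = -P2
    if P1 == P2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)   # a = 0 for secp256k1
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, Pt):
    """Double-and-add scalar multiplication k*Pt (not constant time)."""
    R = None
    while k > 0:
        if k & 1:
            R = ec_add(R, Pt)
        Pt = ec_add(Pt, Pt)
        k >>= 1
    return R


def f(r):
    """Hash the intra-entity shared key r (a point) to a scalar mod n."""
    enc = b"inf" if r is None else b"%064x%064x" % r
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % N


def rand_scalar():
    """Random scalar with 0 < x < n-1, as the text prefers."""
    return 1 + secrets.randbelow(N - 2)


class Entity:
    """Entity with m members; member j holds long-term key pair (a_j, a_j P)."""

    def __init__(self, m):
        self.priv = [rand_scalar() for _ in range(m)]
        self.pub = ec_mul(sum(self.priv) % N, GEN)   # published (sum a_j) P
        self.s = None                                 # stays inside the entity

    def session(self, present=None):
        """Steps (a)-(d) run by the members in `present` (default: all).
        Returns (r, S): intra-entity shared key r and group key S = sP."""
        members = list(range(len(self.priv))) if present is None else present
        x = {j: rand_scalar() for j in members}           # (a) x_j
        X = {j: ec_mul(x[j], GEN) for j in members}       # (a) x_j P
        r = None
        for j in members:                                 # (b),(c)(i) r = sum x_j P
            r = ec_add(r, X[j])
        fr = f(r)
        s_j = [(x[j] + self.priv[j] * fr) % N for j in members]   # (c)(ii)
        self.s = sum(s_j) % N                             # (d) s = sum s_j
        return r, ec_mul(self.s, GEN)

    def raw_key(self, r_other, pub_other):
        """K = s (r' + f(r') Pu') = s t P, with no check on what was received."""
        return ec_mul(self.s, ec_add(r_other, ec_mul(f(r_other), pub_other)))

    def shared_key(self, r_other, S_other, pub_other):
        """Step (f). The received S' must equal r' + f(r') Pu'; if a member of the
        other entity did not take part, the two sums disagree and this raises."""
        expected = ec_add(r_other, ec_mul(f(r_other), pub_other))
        if S_other != expected:
            raise ValueError("group short-term public key does not match r and Pu")
        return self.raw_key(r_other, pub_other)


def run_protocol(A, B, present_a=None, present_b=None):
    """One full run: both entities do (a)-(d), exchange (r, S) in (e), derive K in (f)."""
    rA, SA = A.session(present_a)
    rB, SB = B.session(present_b)
    return A.shared_key(rB, SB, B.pub), B.shared_key(rA, SA, A.pub)


if __name__ == "__main__":
    A, B = Entity(2), Entity(3)
    kA, kB = run_protocol(A, B)
    print("keys agree:", kA == kB)
```

run_protocol(A, B, present_a=[0]) models the case the text describes in which one member of A is absent: A's sub-collection still produces some S, but B's check in step (f) rejects it, and even without the check the two sides' raw_key values differ, so no session can be completed without the missing member.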
Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.

THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:

1. A method for generating a shared secret value between entities (E_i) in a data communication system, one or more of said entities having a plurality of members (M_ij) for participation in said communication system, each member having a long term private key (Pr_ij) and a corresponding long term public key (Pu_ij), said method comprising the steps of:

(a) generating a short term private key (x_ij) and a corresponding short term public key (X_ij) for each of the members (M_ij);

(b) exchanging short term public keys (X_ij) of the members within an entity (i);

(c) for each member,

(i) computing an intra-entity shared key (X_i) by mathematically combining said short term public keys (X_ij) of each said member;

(ii) computing an intra-entity public key (s_ij) by mathematically combining its short-term private key (x_ij), the long term private key (Pr_ij) and said intra-entity shared key;

(d) for each entity, combining intra-entity public keys (s_ij) to derive a group short-term public key (S_i);

(e) each entity transmitting its intra-entity shared key (X_i) and its group short term public key (S_i) to said other entities; and

(f) each entity computing a common shared key K by combining its group short term public key (S_i) with the intra-entity shared key (X_i') and a group short term public key (S_i') received from the other entities.

2. A method as defined in claim 1, said long term public key being derived from a generator point P and respective ones of said long term private keys.

3. A method as defined in claim 2, said step (a) including each member selecting a random integer x_i and multiplying said point P by x_i to obtain x_iP, the short term public key.

4. A method as defined in claim 3, said intra-entity shared key being computed by summing said short term public keys x_iP.

5. A method as defined in claim 4, said intra-entity public key s_i being derived by computing s_i = x_i + a_i f(Σ x_iP), where f is a hash function.

6. A method as defined in claim 5, said group short term public key being derived by computing Σ s_i.

7. A method as defined in claim 1, said long term public keys (Pu_ij) being derived from a generator g and respective ones of said long term private keys (Pr_ij).

8. A method as defined in claim 7, said step (a) including the step of each member selecting a random integer (x_ij) and exponentiating a function h(g) including said generator to a power g(x_ij) to obtain the short term public key X_ij = h(g)^g(x_ij).

9. A method as defined in claim 8, said intra-entity shared key (X_i) being computed by each entity multiplying each of its short-term public keys X_ij together.

10. A method as defined in claim 1, including the step of exchanging the long term public key of each entity (Pu_i) between entities.

11. A method as defined in claim 10, each entity computing a common shared key K by combining its group short term public key (S_i) with the intra-entity shared key (X_i') and a long term public key (Pu_i') received from the other entities.